A survey on botnets, issues, threats, methods, detection and prevention

Botnets have become increasingly common and progressively dangerous to both business and domestic networks alike. Due to the Covid-19 pandemic, a large quantity of the population has been performing corporate activities from their homes. This leads to speculation that most computer users and employees working remotely do not have proper defences against botnets, resulting in botnet infection propagating to other devices connected to the target network. Consequently, not only did botnet infection occur within the target user’s machine but also neighbouring devices. The focus of this paper is to review and investigate current state of the art and research works for both methods of infection, such as how a botnet could penetrate a system or network directly or indirectly, and standard detection strategies that had been used in the past. Furthermore, we investigate the capabilities of Artificial Intelligence (AI) to create innovative approaches for botnet detection to enable making predictions as to whether there are botnets present within a network. The paper also discusses methods that threat-actors may be used to infect target devices with botnet code. Machine learning algorithms are examined to determine how they may be used to assist AI-based detection and what advantages and disadvantages they would have to compare the most suitable algorithm businesses could use. Finally, current botnet prevention and countermeasures are discussed to determine how botnets can be prevented from corporate and domestic networks and ensure that future attacks can be prevented

Feature selection and visualization techniques for network anomaly detector

Intrusion detection systems have been widely used as burglar alarms in the computer security field. There are two major types of detection techniques: misuse detection and anomaly detection. Although misuse detection can detect known attacks with lower false positive rate, anomaly detection is capable of detecting any new or varied attempted intrusion as long as the attempted intrusions disturb the normal states of the systems. The network anomaly detector is employed to monitor a segment of network for any suspicious activities based on the sniffered network traffic. The fast speed of network and wide use of encryption techniques make it almost unpractical to read payload information for the network anomaly detector. This work tries to answer the question: What are the best features for network anomaly detector? The main experiment data sets are from 1999 DARPA Lincoln Library off-line intrusion evaluation project since it is still the most comprehensive public benchmark data up to today. Firstly, 43 features of different levels and protocols are defined. Using the first three weeks as training data and last two weeks as testing data, the performance of the features are testified by using 5 different classifiers. Secondly, the feasibility of feature selection is investigated by employing some filter and wrapper techniques such as Correlation Feature Selection, etc. Thirdly, the effect of changing overlap and time window for the network anomaly detector is investigated. At last, GGobi and Mineset are utilized to visualize intrusion detections to save time and effort for system administrators. The results show the capability of our features is not limited to probing attacks and denial of service attacks. They can also detect remote to local attacks and backdoors. The feature selection techniques successfully reduce the dimensionality of the features from 43 to 10 without performance degrading. The three dimensional visualization pictures provide a straightforward view of normal network traffic and malicious attacks. The time plot of key features can be used to aid system administrators to quickly locate the possible intrusions

Windows credential theft: Methods and mitigations

Compromising Windows account credentials, especially in a domain environment, is a critical phase in an attack against an organization. This paper will first survey the most common tools and techniques used to uncover usernames and their plaintext credentials in standard red team procedures. These methods are compared against the new proposed method that uses low level hooking in the local security authority subsystem service to stealthily compromise plaintext credentials upon login. The latter has many advantages over pre-existing tools designed to capture credentials on Windows based computers. Finally, mitigation procedures will be examined that are designed to thwart credential theft or limit further domain compromise

The Proceedings of 15th Australian Information Security Management Conference, 5-6 December, 2017, Edith Cowan University, Perth, Australia

Conference Foreword The annual Security Congress, run by the Security Research Institute at Edith Cowan University, includes the Australian Information Security and Management Conference. Now in its fifteenth year, the conference remains popular for its diverse content and mixture of technical research and discussion papers. The area of information security and management continues to be varied, as is reflected by the wide variety of subject matter covered by the papers this year. The papers cover topics from vulnerabilities in “Internet of Things” protocols through to improvements in biometric identification algorithms and surveillance camera weaknesses. The conference has drawn interest and papers from within Australia and internationally. All submitted papers were subject to a double blind peer review process. Twenty two papers were submitted from Australia and overseas, of which eighteen were accepted for final presentation and publication. We wish to thank the reviewers for kindly volunteering their time and expertise in support of this event. We would also like to thank the conference committee who have organised yet another successful congress. Events such as this are impossible without the tireless efforts of such people in reviewing and editing the conference papers, and assisting with the planning, organisation and execution of the conference. To our sponsors, also a vote of thanks for both the financial and moral support provided to the conference. Finally, thank you to the administrative and technical staff, and students of the ECU Security Research Institute for their contributions to the running of the conference

Using Botnet Technologies to Counteract Network Traffic Analysis

Botnets have been problematic for over a decade. They are used to launch malicious activities including DDoS (Distributed-Denial-of-Service), spamming, identity theft, unauthorized bitcoin mining and malware distribution. A recent nation-wide DDoS attacks caused by the Mirai botnet on 10/21/2016 involving 10s of millions of IP addresses took down Twitter, Spotify, Reddit, The New York Times, Pinterest, PayPal and other major websites. In response to take-down campaigns by security personnel, botmasters have developed technologies to evade detection. The most widely used evasion technique is DNS fast-flux, where the botmaster frequently changes the mapping between domain names and IP addresses of the C&C server so that it will be too late or too costly to trace the C&C server locations. Domain names generated with Domain Generation Algorithms (DGAs) are used as the \u27rendezvous\u27 points between botmasters and bots. This work focuses on how to apply botnet technologies (fast-flux and DGA) to counteract network traffic analysis, therefore protecting user privacy. A better understanding of botnet technologies also helps us be pro-active in defending against botnets. First, we proposed two new DGAs using hidden Markov models (HMMs) and Probabilistic Context-Free Grammars (PCFGs) which can evade current detection methods and systems. Also, we developed two HMM-based DGA detection methods that can detect the botnet DGA-generated domain names with/without training sets. This helps security personnel understand the botnet phenomenon and develop pro-active tools to detect botnets. Second, we developed a distributed proxy system using fast-flux to evade national censorship and surveillance. The goal is to help journalists, human right advocates and NGOs in West Africa to have a secure and free Internet. Then we developed a covert data transport protocol to transform arbitrary message into real DNS traffic. We encode the message into benign-looking domain names generated by an HMM, which represents the statistical features of legitimate domain names. This can be used to evade Deep Packet Inspection (DPI) and protect user privacy in a two-way communication. Both applications serve as examples of applying botnet technologies to legitimate use. Finally, we proposed a new protocol obfuscation technique by transforming arbitrary network protocol into another (Network Time Protocol and a video game protocol of Minecraft as examples) in terms of packet syntax and side-channel features (inter-packet delay and packet size). This research uses botnet technologies to help normal users have secure and private communications over the Internet. From our botnet research, we conclude that network traffic is a malleable and artificial construct. Although existing patterns are easy to detect and characterize, they are also subject to modification and mimicry. This means that we can construct transducers to make any communication pattern look like any other communication pattern. This is neither bad nor good for security. It is a fact that we need to accept and use as best we can

Achieving cyber resiliency against lateral movement through detection and response

Systems and attacks are becoming more complex, and classical cyber security methods are failing to protect and secure those systems. We believe that systems must be built to be resilient to attacks. Cyber resilience is a dynamic protection strategy that aims to stop cyber attacks while maintaining an acceptable level of service. The strategy monitors a system to detect cyber incidents, and dynamically changes the state of the system to learn about the incidents, contain an attack, and recover. Thus, instead of being perfectly protected, a cyber-resilient system survives a cyber incident by containing the attack and recovering while maintaining service. Cyber resiliency has the potential to secure the modern systems that control our critical infrastructure. However, several practical and theoretical challenges hinder the development of cyber-resilient architectures. In particular, an architecture needs to support and make use of a large amount of monitoring; the problem is especially serious for a large network in which hosts send low-level information for fusion. The problem is not only computational; the semantics of the data also creates a challenge. In combining information from multiple sources and across multiple abstractions, we need to realize that the sources are describing different events in the system which are occurring at varying time scales. Moreover, the system is dependent on the integrity of the monitoring data when estimating the state of the system. The estimated state is used to detect malicious activities and to drive responses. The integrity of the monitoring data is critical to making “correct” decisions that are not influenced by the attacker. In addition, choosing an appropriate response to specific attacks requires knowledge of the at- tackers’ behavior, i.e., an attacker model. If the attacker model is wrong, then the responses selected by the mechanism will be ineffective. Finally, the response mechanisms need to be proven effective in maintaining the resilience of the system. Proving such properties is particularly challenging when the systems are highly complex. In this dissertation, we propose a resiliency architecture that uses a model of the system to deploy monitors, estimates the state of the system using monitor data, and selects responses to contain and recover from attacks while maintaining service. Then we describe our design for the essential components of the said resiliency architecture for a multitude of systems including operating systems, hosts, and enterprise net- works, to address lateral movement attacks. Specifically, we have built components that address monitor design, fusion of monitoring data, and response. Our pieces address the challenges that face cyber-resilient architectures. We set out to provide resilience against lateral movement. Lateral movement is a step taken by an attacker to shift his or her position from an initial compromised host into a target host with high value. First, we designed a host-level monitor Kobra that generates different estimations of the state of a host. Kobra combines the various aspects of application behavior into multiple views: (1) a discrete time signal used for anomaly detection, and (2) a host-level process communication graph to correlate events that happen in a network. We use the host correlations to generate chains of network events that correspond to suspicious lateral movement behavior. We use a novel fusion framework that enables us to fuse monitoring events for different sources over a hierarchy. Finally, we respond to lateral movement by changing the topology and healing rates in the network. The changes are enacted by a feedback controller to slow down and stop the spread of the attack. Since our cyber resiliency architecture depends on the integrity of the monitoring data, we propose PowerAlert, an out-of-box integrity checker, to establish the “trustworthiness” of a machine. PowerAlert is resilient to attacker evasion and adaptation. It uses the current drawn by the CPU, measured using an external probe, to confirm that the machine executed the check as expected. To prevent an attacker from evading PowerAlert, we use an optimal initiation strategy, and to resist adaptation, we use randomly generated integrity-checking programs. We pick the optimal initiation strategy by modeling the problem of low-cost integrity checking when an attacker is attempting to evade detection as a continuous-time game called Tireless. The optimal strategy is the Nash equilibrium that optimizes the defender’s cost of checking and utility of detection against an adaptive attacker

SoK: Security of Programmable Logic Controllers

Billions of people rely on essential utility and manufacturing infrastructures such as water treatment plants, energy management, and food production. Our dependence on reliable infrastructures makes them valuable targets for cyberattacks. One of the prime targets for adversaries attacking physical infrastructures are Programmable Logic Controllers (PLCs) because they connect the cyber and physical worlds. In this study, we conduct the first comprehensive systematization of knowledge that explores the security of PLCs: We present an in-depth analysis of PLC attacks and defenses and discover trends in the security of PLCs from the last 17 years of research. We introduce a novel threat taxonomy for PLCs and Industrial Control Systems (ICS). Finally, we identify and point out research gaps that, if left ignored, could lead to new catastrophic attacks against critical infrastructures.Comment: 25 pages, 13 figures, Extended version February 2024, A shortened version is to be published in the 33rd USENIX Security Symposium, for more information, see https://efrenlopez.org

Unveiling flat traffic on the internet: An SSH attack case study

Many types of brute-force attacks are known to exhibit a characteristic ‘flat’ behavior at the network-level, meaning that connections belonging to an attack feature a similar number of packets and bytes, and duration. Flat traffic usually results from repeating similar application-layer actions, such as login attempts in a brute-force attack. For typical attacks, hundreds of attempts span over multiple connections, with each connection containing the same, small number of attempts. The characteristic flat behavior is used by many Intrusion Detection Systems (IDSes), both for identifying the presence of attacks and — once detected — for observing deviations, pointing out potential compromises, for example. However, flatness of network traffic may become indistinct when TCP retransmissions and control information come into play. These TCP phenomena affect not only intrusion detection, but also other forms of network traffic analysis. The contribution of this work is twofold. First, we analyze the impact of retransmissions and control information on network traffic based on traffic measurements. To do so, we have developed a flow exporter extension that was deployed in both a campus and a backbone network. Second, we show that intrusion detection results improve dramatically by up to 16 percentage points once IDSes are able to ‘flatten’ network traffic again, which we have validated by means of analyzing log files of almost 60 hosts over a period of one month

Detection and prevention of username enumeration attack on SSH protocol: machine learning approach

A Dissertation Submitted in Partial Fulfillment of the Requirement for the Degree of Master’s in Information System and Network Security of the Nelson Mandela African Institution of Science and TechnologyOver the last two decades (2000–2020), the Internet has rapidly evolved, resulting in symmetrical and asymmetrical Internet consumption patterns and billions of users worldwide. With the immense rise of the Internet, attacks and malicious behaviors pose a huge threat to our computing environment. Brute-force attack is among the most prominent and commonly used attacks, achieved out using password-attack tools, a wordlist dictionary, and a usernames list – obtained through a so – called an enumeration attack. In this study, we investigate username enumeration attack detection on SSH protocol by using machine-learning classifiers. We apply four asymmetrical classifiers on our generated dataset collected from a closed environment network to build machine-learning-based models for attack detection. The use of several machine-learners offers a wider investigation spectrum of the classifiers’ ability in attack detection. Additionally, we investigate how beneficial it is to include or exclude network ports information as features-set in the process of learning. We evaluated and compared the performances of machine-learning models for both cases. The models used are k-nearest neighbor (KNN), naïve Bayes (NB), random forest (RF) and decision tree (DT) with and without ports information. Our results show that machine-learning approaches to detect SSH username enumeration attacks were quite successful, with KNN having an accuracy of 99.93%, NB 95.70%, RF 99.92%, and DT 99.88%. Furthermore, the results improved when using ports information. The best selected model was then deployed into intrusion detection and prevention system (IDS/IPS) to automatically detect and prevent username enumeration attack. Study also recommends the use of Deep Learning in future studies

Design for prognostics and security in field programmable gate arrays (FPGAs).

There is an evolutionary progression of Field Programmable Gate Arrays (FPGAs) toward more complex and high power density architectures such as Systems-on- Chip (SoC) and Adaptive Compute Acceleration Platforms (ACAP). Primarily, this is attributable to the continual transistor miniaturisation and more innovative and efficient IC manufacturing processes. Concurrently, degradation mechanism of Bias Temperature Instability (BTI) has become more pronounced with respect to its ageing impact. It could weaken the reliability of VLSI devices, FPGAs in particular due to their run-time reconfigurability. At the same time, vulnerability of FPGAs to device-level attacks in the increasing cyber and hardware threat environment is also quadrupling as the susceptible reliability realm opens door for the rogue elements to intervene. Insertion of highly stealthy and malicious circuitry, called hardware Trojans, in FPGAs is one of such malicious interventions. On the one hand where such attacks/interventions adversely affect the security ambit of these devices, they also undermine their reliability substantially. Hitherto, the security and reliability are treated as two separate entities impacting the FPGA health. This has resulted in fragmented solutions that do not reflect the true state of the FPGA operational and functional readiness, thereby making them even more prone to hardware attacks. The recent episodes of Spectre and Meltdown vulnerabilities are some of the key examples. This research addresses these concerns by adopting an integrated approach and investigating the FPGA security and reliability as two inter-dependent entities with an additional dimension of health estimation/ prognostics. The design and implementation of a small footprint frequency and threshold voltage-shift detection sensor, a novel hardware Trojan, and an online transistor dynamic scaling circuitry present a viable FPGA security scheme that helps build a strong microarchitectural level defence against unscrupulous hardware attacks. Augmented with an efficient Kernel-based learning technique for FPGA health estimation/prognostics, the optimal integrated solution proves to be more dependable and trustworthy than the prevalent disjointed approach.Samie, Mohammad (Associate)PhD in Transport System